Domain Placement w/ Office 365

You can have multiple domains tied to your Office 365 Tenant. Also, you may have a domain that you own that isn’t a part of your tenant.

When you sign up for something that makes use of the AdHoc Subscription feature of Azure Active Directory/Office 365, such as Power BI, and no one from a given domain/organization has signed up before, a Shadow Tenant will be created. You may find that you have your main tenant, and someone signs up with another domain you own, which inadvertently creates a shadow tenant, and now you want to bring that domain over to your primary tenant.

I’ll use my Guy in a Cube domains as the example here. I have my Tenant for my organization and I used guyinacube.com for it. We ended up buying an associated domain, guyinacube.org. I haven’t added that domain to my tenant yet. Joe goes ahead and signs up for Power BI using joe@guyinacube.org. This ends up creating a shadow tenant for the ORG domain because Joe is the first one to sign up for it and no one owned it.

So, now, I want to move the ORG domain over to my primary tenant. When you go into the Office 365 Admin Portal and try to add the ORG domain to the primary tenant, you will see an error like the following.

guyinacube.org was already added to a different Office 365 account guyinacubeorg.onmicrosoft.com.

This error occurs because another tenant, the Shadow Tenant, already owns guyinacube.org, and a domain can only have one owner. If no one has taken ownership of the Shadow Tenant, you’ll need to go through the IT Admin Takeover process. Once that is done, or if you already had ownership of it, you can follow these steps to get the domain moved.

NOTE: If you don’t have access to the Shadow Tenant, or don’t know who can get into it, you will need to open a support ticket to get further assistance.

Create OnMicrosoft.com Admin Account

In order to do this, we have to remove all remnants of guyinacube.org from the secondary tenant. This includes all users and the domain itself. But we need to have at least one Global Admin in the tenant, so we need to add a new user on the onmicrosoft.com domain that is part of the tenant.

We need to log into the guyinacube.org Tenant. Go to Users > Active Users, and add a new user.

Once that is done, we can go into that user, and go to roles. Select Global Admin and add the alternate email address.

Now we can sign out and sign back in with our guyinacubeorg.onmicrosoft.com account to finish the rest of the steps.

Delete All Accounts except the onmicrosoft.com account

We want to remove all users tied to the domain we are interested in. Assuming you haven’t added multiple custom domains, the only account left should be the onmicrosoft.com account that we just created.

NOTE: You will lose all data tied to these users. Make sure you have exported anything you want to keep, where that is possible.

Delete Domain

Once the users are gone, we can go to Domains within the Admin Portal, and delete the domain in question.

Between the time of deleting the domain in this tenant and adding the domain back into your primary tenant, there is a window of opportunity for someone to sign up and create another Shadow Tenant. It is probably a good idea to do this at a time when most users won’t be doing anything.

This action will remove the domain from Azure Active Directory as well.

Add Domain to Primary Tenant

Now we can sign back into our primary tenant, go to Domains within the O365 Admin Portal and add the domain there. It may already be listed from a previous attempt and you can just click on Start Setup.

This will walk you through the domain verification process. For that, you will need to add the TXT record to your DNS to prove you own it.

You can skip Step 2 of adding users if you want. You can always do that later. Step 3 will set up any additional DNS records, such as MX, for use with other Office services like Exchange Online for mail. If you are unsure about this, go ahead and uncheck any items listed, hit Next, and then check with your DNS/Mail administrator.

When that is done, you will see the domain in your list and it will show Setup Complete.

You can now create new users with that domain, and people that sign up for Power BI with that domain will be added to this tenant.
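
A pre-flight check for the "Delete All Accounts" and "Delete Domain" steps above, as an added example that is not part of the original post or any Microsoft tooling. It reads a user export from the shadow tenant and reports which accounts still tie the tenant to the custom domain and whether an onmicrosoft.com Global Admin will survive the clean-up. The CSV column names and the sample rows are constructed assumptions, and the alias check goes beyond the steps in the post: an email alias on the domain also blocks its removal.

```python
import csv
import io

# Constructed sample export of the shadow tenant's users. The column names
# (UserPrincipalName, Roles, ProxyAddresses) are assumptions for this example.
SAMPLE_EXPORT = """UserPrincipalName,Roles,ProxyAddresses
joe@guyinacube.org,,SMTP:joe@guyinacube.org
amy@guyinacube.org,Global Admin,SMTP:amy@guyinacube.org
admin@guyinacubeorg.onmicrosoft.com,Global Admin,SMTP:admin@guyinacubeorg.onmicrosoft.com
svc@guyinacubeorg.onmicrosoft.com,,SMTP:svc@guyinacubeorg.onmicrosoft.com;smtp:svc@guyinacube.org
"""

def _domain(address):
    """Return the lower-cased domain of a UPN or 'smtp:'-prefixed proxy address."""
    return address.split(":", 1)[-1].rpartition("@")[2].strip().lower()

def preflight(export_csv, custom_domain, fallback_domain):
    """Report what still blocks deleting custom_domain from the tenant."""
    custom_domain, fallback_domain = custom_domain.lower(), fallback_domain.lower()
    to_delete, alias_only, fallback_admins = [], [], []
    for row in csv.DictReader(io.StringIO(export_csv)):
        upn = row["UserPrincipalName"].strip()
        roles = [r.strip().lower() for r in row["Roles"].split(";") if r.strip()]
        aliases = [a for a in row["ProxyAddresses"].split(";") if a.strip()]
        if _domain(upn) == custom_domain:
            to_delete.append(upn)        # sign-in name is on the domain
        elif any(_domain(a) == custom_domain for a in aliases):
            alias_only.append(upn)       # kept user, but an alias references the domain
        if _domain(upn) == fallback_domain and "global admin" in roles:
            fallback_admins.append(upn)  # admin that survives the clean-up
    return {
        "to_delete": to_delete,
        "alias_only": alias_only,
        "fallback_admins": fallback_admins,
        # Start deleting users only once an onmicrosoft.com Global Admin exists.
        "safe_to_delete_users": bool(fallback_admins),
        # The domain can be deleted only when nothing references it any more.
        "domain_removable": bool(fallback_admins) and not to_delete and not alias_only,
    }

if __name__ == "__main__":
    report = preflight(SAMPLE_EXPORT, "guyinacube.org", "guyinacubeorg.onmicrosoft.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it again on a fresh export right before deleting the domain keeps the gap between deletion and re-adding the domain to the primary tenant as short as possible.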